A Conversation About My Journey in InfoSec
An Interview for ITSP Magazine’s Focal Point Podcast
This conversation was originally recorded with ITSP Magazine for their Focal Point podcast. The below questions were used to guide the conversation but are not a transcript and differ a bit from the podcast episode.
You can find the podcast episode here or on Apple Podcasts, Google Podcasts, Spotify, or wherever you listen to podcasts.
I currently work as a Senior Engineer on a security tools team at a pharmaceutical company. Most of my day-to-day involves implementing new tools, optimizing our existing tools, and handling 3rd-tier escalations related to the tools. I’m also responsible for helping identify areas of improvement and discovering and researching new tools or solutions we might want to consider purchasing or implementing.
On the side, I have a blog called Dark Roast Security where I publish mainly cybersecurity content, but also articles every now and then about corporate life, productivity, etc. I also recently graduated with my Master's Degree in Cybersecurity.
Can you talk a bit about how you got into cybersecurity?
My first cybersecurity role was an opportunity that popped up after I was laid off with the rest of the IT dept at my first job. I didn’t particularly have an interest in security yet because I was still learning what corporate tech even involved and had minimal knowledge of the security space. I was working as a systems engineer but my manager at the time had started assigning me to security initiatives, like server baselining, patch management, etc.
When we were all laid off, everyone was reaching out to their network and trying to help one another out. It just so happened that someone who had previously worked with my manager was looking to bring in a security analyst to help build out a Sec Ops program.
It was a unique role because it was up in New Hampshire, about two and a half hours from where I lived, but I was unemployed with a year of experience and I didn’t have any other prospects, so this seemed like my “big break”. I worked there for a little over two years and it gave me a fantastic foundation. I’ve since moved on, but that first job was invaluable if I consider where I am now.
What are your thoughts on traditional schooling/training versus being self-taught?
I’ve been out of college for four years now and I’d like to think the IT and security programs have progressed since I graduated, but I can tell you I graduated with an undergrad degree in Info Systems and nothing of what I learned there was valuable to me in the real world.
I’m not trying to deter people from pursuing a college degree, because there are definitely benefits, but I think tech degree programs need to do better with exposing students to the wide range of options in tech and security, as well as do better with providing relevant hands-on assignments.
I like to tell the story of one of the interviews I had while I was searching for an internship the summer before my senior year. I remember the phone interview was in between classes so I had driven to a nearby Starbucks to take the call from my car. After the first 5 minutes, I was already feeling discouraged because the hiring manager was asking me question after question that I kept responding “no” to:
Do you know what Active Directory is? No
Do you know what PowerShell is? No
Do you know what a command prompt is? No
I was sitting there like wow, this is going terribly. The last question I was asked was, “if you had to paint my office, how would you go about doing that?”
I remember explaining that I would ask him to pick out a color and then coordinate a time where I could come to paint the office while he wasn’t there so as to not disrupt his day. I was so focused on the coordination efforts involved that I forgot about the supplies to paint with, so he asked “and how would you actually paint the room?” I remember laughing nervously and responding that I’d go to the store and buy supplies beforehand, brushes, tarps, paint, etc.
To my surprise, I ended up being offered the internship position, which led to my first full-time IT role.
My point in explaining all of this is that my education didn’t help me get that internship. I look back and still feel lucky that the hiring manager decided to take a chance on me. He saw something in me, along with an opportunity for me to learn all that stuff I had said “no I don’t know what that is” to.
Based on that experience, I think we still have a ways to go in terms of having degree programs for tech and security that actually prepare students for the workforce. As a rising senior, I should have known what Active Directory was, along with some basic command prompt and PowerShell skills.
Colleges and universities need to focus on teaching corporate IT skills like networking, basic troubleshooting, administration activities, and of course, security. We need to do better at teaching students what it’s like to work in an IT department and start giving them the foundational skills they need to get a job.
With all that being said, I think self-teaching is what a lot of people in the field are doing today, including me. All of the knowledge I have today is the result of hands-on experience and driving my own learning. I took time to research topics I struggled with, like networking, and put in time outside of work to become more familiar with it. There’s definitely value in putting the work in yourself to learn various topics you’ve discovered a passion for, but degrees also still hold a lot of weight when it comes to the job market and salaries if you ask me.
What made you start blogging about cybersecurity and how did you come up with the name for your blog?
This might sound cliche, but one day I just woke up and wanted to do more. I’ve never been the type of person that settles for mediocrity and I think that has held true as I’ve grown from a student into a professional in the field.
I was getting a bit bored with my day-to-day role and I think I was missing that sense of fulfillment people get when they feel like they’re making a difference and helping others. I had the idea to start writing about my journey in learning ethical hacking and it just kind of blossomed from there.
Over the past year and a half, I’ve really started branching out and writing about my own experiences in the industry, but also sharing content that I think will help students and entry-level individuals in the field.
As a high schooler entering college, I had no idea what I wanted to do in life so if I can help someone discover a passion for tech or infosec they didn’t know they had, I’m happy. That’s been my goal since the start: create content that helps people learn, but also shows others it’s okay to be confused or intimidated by a system or technology.
The name is really a result of my wanting to marry security and my obsession with coffee! I spent an hour or two brainstorming names, I’m sure I still have the list somewhere. I was using company name generators online which were useless, and in the end, the simplest name popped in my head: Dark Roast is my go-to coffee roast, so I thought of “Dark Roast Security”.
Do you think putting in the extra work outside of your professional responsibilities has opened up more opportunities for you, career-wise?
Definitely! Not only has it helped me grow my network and open doors for me, but it’s also helped me grow professionally as well. I like to think I’ve become the professional I am today because of my writing and I continue to grow and evolve with my blog.
I look back at my first few articles when I wrote about learning the Linux OS and I can just see how far I’ve come. I think in the security industry especially it can be hard for us to find what we’re truly passionate about. There are so many different roles within the field and putting in time outside of your day job is where you’ll discover things you didn’t know you enjoyed.
Being more active on social media has also been a great way to grow my network. Just sharing content on the platform led me to connect with hundreds of other infosec professionals. My network has grown from ~300 people to ~2000 people just from being active on the platform; liking, sharing, commenting, etc.
You recently earned your CISSP, are you studying for any other exams? What’s next?
Having just finished my master's degree program, I haven’t been studying for any other hardcore exams recently. However, I have recently found more of an interest in threat intel and the MITRE ATT&CK framework, so I’ve been doing the MAD course and certification when I’m not busy blogging.
I think I might start looking at the CISM or CCSP (or both!) as a next step, but I’m also considering going for a certificate in journalism. I’ve secretly been toying with the idea of taking my career in the security research and reporting direction, so I want to explore journalism a bit more and see how I like it.
This just goes back to what I said earlier about how many opportunities there are in the security industry. I hadn’t even thought about pursuing a writing career until I realized how many cybersecurity researchers and writers are out there behind all the vendor blogs and threat intel production. Even now, five years into my tech career I’m still learning about myself and figuring out where to take my career.
What do you enjoy doing outside of work?
Ask any of my friends and they’ll tell you I’m a huge bookworm. My friends actually created a “personal book club” for me as a Christmas gift this past year, so I have 12 books, one per month, to read this year, on top of some books I had already gotten for myself.
Outside of reading, I like to watch TV like everyone else! My favorite shows are Grey’s Anatomy and A Million Little Things, among others. And although it sounds like I have no life, I do love going out with friends every few weeks! I love hitting up some of the vineyards in the area or going to happy hour somewhere where I can get an espresso martini.
How do you manage work/life balance?
Ever since my first year in tech, I’ve had boundaries. In my first IT role, I quickly realized that I wouldn’t be logging off every day with everything on my list completed. This was a huge shift for me compared to my previous job as a customer service rep, where I left every day with a clean CRM dashboard.
After I accepted that there would always be work to do, it was easier to manage my work/life balance. Of course, there are always going to be days or weeks where I have to work late or put in more hours than usual, that’s just what comes with being in security, but I make it a point to turn off the work thoughts when I log off for the day.
If I didn’t get some items done, I move them to the next day’s to-do list as a way to kind of “close the day out”. If I opened emails but didn’t respond or take care of them, I mark them unread so I don’t lose sight of them for the next day. These activities help me wrap things up for the day so I’m not worrying about something I might’ve forgotten to do at 8 pm when I’m trying to relax.
The other thing I’ve been in the habit of doing over the last year is doing something for myself each day. Whether that’s taking an hour or two in the morning or at night to read a book, spending time working on my blog, or working out. Dedicating time throughout the day to do something I want to do helps break up my day and ensure I’m not sitting staring at the screen from 8 am to 6 pm.
I think it’s important to make time for things you want to do during the week, not just on the weekends. It helps reduce stress levels too and avoid burnout! I know some people might struggle with this because they have kids to take care of or other commitments, but I would argue that there’s always time in the day that can be found to do something for yourself.
What’s the best advice you’ve received about getting into or advancing in cybersecurity?
The first thing that comes to mind is to invest in yourself. I was having a conversation with a manager when I was studying for the CISSP and I was voicing concerns over how much money I had spent on various study materials.
He didn’t try to empathize with me or suggest other free training materials or remind me that I’d be able to get reimbursed once I passed the exam. Instead, he simply said, “why are you worrying about that? If you can afford it, invest in yourself now, it’ll pay off later.”
I know it’s not always easy. I know firsthand how expensive some security training courses can be, but that piece of advice hit home then and it has stuck with me ever since. When I was deciding whether or not to spend the $40 for 6 months of TryHackMe premium, I heard “invest in yourself”. When I was contemplating the $300 for the MAD subscription, I heard “invest in yourself”.
I’m not suggesting you go spend thousands of dollars on a course by SANS or ISC2, but it’s important to always invest in things you think will benefit your growth and career. And investing in yourself isn’t just about money, it’s also about advocating for yourself and your development. It can mean asking your manager to attend that conference or training course you’ve had your eye on but can’t afford on your own. More often than not, employers want to keep their employees happy and learning, so they should be willing to help you do that.
Thanks for reading. If you enjoyed learning about my journey in InfoSec, give the podcast episode a listen!
This article was originally published at https://medium.com/dark-roast-security on March 3, 2022.